Addressing Vulnerabilities Reported by Medicare Benefit Integrity Contractors
As of January 2011, CMS had not resolved or taken significant action to resolve 77 percent of vulnerabilities reported by contractors in 2009. Of the 62 vulnerabilities reported by contractors in 2009, 77 percent (48 of 62) had not yet been resolved as of January 2011, nor had CMS taken significant action to resolve them. CMS took significant action to resolve 14 of the 62 vulnerabilities, but only 2 of these had been fully resolved by January 2011.
One way that Medicare benefit integrity contractors help prevent fraud, waste, and abuse is by identifying program vulnerabilities. For this study, we identified the actions that CMS took to resolve vulnerabilities reported by Program Safeguard Contractors, Zone Program Integrity Contractors, and Medicare Drug Integrity Contractors in 2009. We also determined the monetary impact of these vulnerabilities and reviewed CMS's policies and procedures for tracking, reviewing, and resolving reported vulnerabilities.
Contractors reported monetary impact for only one-third of vulnerabilities, but their estimated impact was $1.2 billion. The estimated impacts of individual vulnerabilities ranged from $77,692 to $803,025,113. None of these vulnerabilities had been fully resolved as of January 2011. Although CMS has taken significant action to resolve four of these vulnerabilities, two of which had the largest reported monetary impact ($803 million and $99 million), implementation of corrective actions for these two vulnerabilities will not be complete until 2012. Because contractors reported monetary impact inconsistently or not at all, the actual monetary impact of the vulnerabilities reported in 2009 could be significantly greater than $1.2 billion.
Although CMS has procedures to consistently track and review vulnerabilities, it lacks procedures to ensure that vulnerabilities are resolved. The three CMS divisions that are responsible for tracking and reviewing vulnerabilities each have procedures that outline the general steps they take to track and review vulnerabilities. However, although contractors have been submitting vulnerability reports since at least 2007, CMS did not begin developing procedures until 2010. Furthermore, only one of the three divisions has developed procedures to follow up on the implementation of corrective actions.
Therefore, we recommend that CMS (1) determine the status of all vulnerabilities that have not been resolved and take action to address them; (2) require all benefit integrity contractors to report monetary impact, when calculable, in a consistent format; and (3) ensure that vulnerabilities are resolved by establishing formal written procedures that include timeframes for follow-up and that outline CMS and contractor responsibilities regarding vulnerability resolution. CMS concurred with our first recommendation, did not concur with our second recommendation, and partially concurred with our third recommendation.